# SARIF reports You can import [Static Analysis Results Interchange Format (SARIF)](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html) reports into SonarQube Server. The issues will be taken into account by SonarQube Server in the analysis report, but the rules corresponding to these issues will not be visible on the **Rules** page nor reflected in quality profiles. This means that the rules that raise external issues must be managed in your third-party tool. ## Import process SonarQube Server manages the import of a SARIF issue as follows: * It assigns the `CONVENTIONAL` coding attribute and the `SECURITY` software quality to the issue. * For MQR Mode, it maps the issue's severity level on the SECURITY software quality using the following fields: * `runs[].tool.extensions.rules[].defaultConfiguration.level` is overridden by * `runs[].tool.driver.rules[].defaultConfiguration.level` * For Standard Experience, it maps the issues severity level on the Vulnerability type * `runs[].tool.extensions.rules[].defaultConfiguration.level` is overridden by * `runs[].tool.driver.rules[].defaultConfiguration.level` is overridden by * `runs[].results[].level` {% tabs %} {% tab title="MULTI-QUALITY RULE MODE" %} | **Severity field in SARIF 2.1.0** | **Impact level in SonarQube Server** | | --------------------------------- | ------------------------------------ | | error | HIGH | | warning | MEDIUM | | note | LOW | | none | LOW | * Otherwise, the default MEDIUM impact level is applied. {% endtab %} {% tab title="STANDARD EXPERIENCE" %} | **Severity field in SARIF 2.1.0** | **Impact level in SonarQube Server** | | --------------------------------- | ------------------------------------ | | error | CRITICAL | | warning | MAJOR | | note | MINOR | | none | LOW | * Otherwise, the default MAJOR impact level is applied. {% endtab %} {% endtabs %} See [software-qualities](https://docs.sonarsource.com/sonarqube-server/2025.2/user-guide/rules/software-qualities "mention") and [standard-experience](https://docs.sonarsource.com/sonarqube-server/2025.2/instance-administration/analysis-functions/instance-mode/standard-experience "mention") for more details. ## Setting up the import To set up the import of SARIF reports into SonarQube Server: 1. Prepare your SARIF report files according to the import file specifications below. 2. Use on the scanner side the [analysis-parameters](https://docs.sonarsource.com/sonarqube-server/2025.2/analyzing-source-code/analysis-parameters "mention") `sonar.sarifReportPaths` to define the list of SARIF report files to be imported during your project analysis. This parameter accepts a comma-delimited list of paths. ## Import file specifications The SARIF files must: * Be UTF-8 file encoded. * Comply with the [official SARIF format, version 2.1.0](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html). ### Mandatory fields | Field | Description | | ------------------------------- | ------------------------------------------------------------------------- | | `version` | Must be set to "2.1.0". | | `runs[].tool.driver.name` | Name of the tool that created the report. | | `runs[].results[].message.text` | Message of the external issue. | | `runs[].results[].ruleId` | Identifier of the corresponding rule in the tool that created the report. | {% hint style="info" %} If a mandatory field is missing, the report is ignored (see the corresponding line in the logs). {% endhint %} ### Optional fields

Field	Sub-field	Description
`runs[].tool.driver`		The tool that generated the report.
`runs[].tool.driver.rules[]`	`id`	Identifier of the rule of the tool that created the report.
	`shortDescription.text`	Short description is mapped as the name of the rule in SonarQube. If the field is empty, SonarQube constructs the name based on the driver `name` and `id` fields.
	`fullDescription.text`	Full description of the rule.
	`defaultConfiguration.level`	SonarQube uses this field to determine the issue's impact level on vulnerability for Standard Experience and security for MQR Mode.
`runs[].tool.extensions.rules[]`	`defaultConfiguration.level`	SonarQube uses this field to determine the issue's impact level on vulnerability for Standard Experience and security for MQR Mode, if the driver field `runs[].tool.driver.rules[].defaultConfiguration.level` above is not used.
`runs[].results[]`	`level`	Used to map the severity level for Standard Experience only. For severity levels for MQR mode see `runs[].tool.driver.rules[].defaultConfiguration.level` above. If this field is not defined `runs[].tool.driver.rules[].defaultConfiguration` will be used instead.
	`stacks[]`	The stacks are mapped to the issue flows.
	`stacks[].frames[]`	Each frame of a stack represents one path of the whole issue flow.
	`stack.frames.location`	Follows the same pattern as in locations indicated below.
`runs[].results[].locations[]`		SonarQube only uses the first item in the array. It must be a physical location.
	`physicalLocation.artifactLocation.uri`	Path of the file concerned by the issue. If no location is defined, the issue is raised at the project level.
	`physicalLocation.region`	Text range concerned by the issue. Is defined by the following fields: `startLine` `startColumn`(optional) `endLine` (optional) `endColumn` (optional) If `startColumn`, `endLine`, `endColumn` are not specified,SonarQube automatically retrieves the full coordinates of the line.
	`relatedLocations`	Contains the same fields as `physicalLocation`.

{% hint style="warning" %} The `runs[].results[].level`field which defines the issue's severity will be ignored by SonarQube in MQR Mode. {% endhint %} ### Import file example ```json { "version": "2.1.0", "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5", "runs": [ { "tool": { "driver": { "name": "a test linter", "rules": [ { "id": "rule1", "shortDescription": { "text": "XooLint rule 1" }, "fullDescription": { "text": "XooLint rule 1 full description" } }, { "id": "rule2", "shortDescription": { "text": "XooLint rule 2" } } ] } }, "results": [ { "level": "error", "message": { "text": "'toto' is assigned a value but never used." }, "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "src/File0.xoo" }, "region": { "startLine": 1, "startColumn": 5, "endLine": 1, "endColumn": 9 } } } ], "relatedLocations": [ { "message": { "text": "Secondary location message." }, "physicalLocation": { "artifactLocation": { "uri": "src/File0.xoo" }, "region": { "startLine": 2, "startColumn": 1 } } } ], "ruleId": "rule1" }, { "level": "error", "message": { "text": "Issue with flow" }, "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "src/File1.xoo" }, "region": { "startLine": 1, "startColumn": 5, "endLine": 1, "endColumn": 9 } } } ], "stacks": [ { "frames": [ { "location": { "message": { "text": "Stack frame message." }, "physicalLocation": { "artifactLocation": { "uri": "src/File1.xoo" }, "region": { "startLine": 3, "startColumn": 1 } } } }, { "location": { "message": { "text": "Stack frame message 2." }, "physicalLocation": { "artifactLocation": { "uri": "src/File1.xoo" }, "region": { "startLine": 4, "startColumn": 1 } } } } ] } ], "ruleId": "rule2" } ] } ] } ```